init: fix SELinux denials on remounting from new netns
Never mount /sys/kernel/debug/tracing. This is the *one* mount that is
special within the Linux kernel: for backward compatibility tracefs gets
auto-mounted there whenever one mounts debugfs [1].

The auto-mounting logic used to be guarded by an Android-specific kernel
config flag in some older Android kernels 5.10 [2], but that patch was
not cherry-picked into newer kernels, so the automounting happens
whether we want it or not.

Attempting to mount the filesystem here will cause SELinux denials,
because unlike *all other* filesystems in Android, it's not init who
mounted it so there's no policy that would allow it.

This caused test failures in CI on
aosp_cf_x86_64_auto-trunk_staging-userdebug [3].

[1] https://lore.kernel.org/lkml/20150204143755.694479564@goodmis.org/
[2] https://android-review.googlesource.com/c/kernel/common/+/1664712
[3] https://android-build.corp.google.com/test_investigate/invocation/I06400010375485931/test/TR91729660607423480/

Bug: 399071958
Test: abtd run of aosp_cf_x86_64_auto-trunk
Change-Id: I6692d2b11d26fdcc8ed6411776a955a6d97d9e29
diff --git a/init/service_utils.cpp b/init/service_utils.cpp
index f8821a0..8d9a046 100644
--- a/init/service_utils.cpp
+++ b/init/service_utils.cpp
@@ -98,7 +98,17 @@
// Look up the filesystems that were mounted under /sys before we wiped
// it and attempt to restore them.
for (const auto& entry : mounts) {
- if (entry.mount_point.starts_with("/sys/")) {
+ // Never mount /sys/kernel/debug/tracing. This is the *one* mount
+ // that is special within Linux kernel: for backward compatibility
+ // tracefs gets auto-mounted there whenever one mounts debugfs [1].
+ //
+ // Attempting to mount the filesystem here will cause SELinux
+ // denials, because unlike *all other* filesystems in Android, it's
+ // not init who mounted it so there's no policy that would allow it.
+ //
+ // [1] https://lore.kernel.org/lkml/20150204143755.694479564@goodmis.org/
+ if (entry.mount_point.starts_with("/sys/") &&
+ entry.mount_point != "/sys/kernel/debug/tracing") {
if (mount(entry.blk_device.c_str(), entry.mount_point.c_str(),
entry.fs_type.c_str(), entry.flags, "")) {
LOG(WARNING) << "Could not mount(" << entry.mount_point
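Review bot: the skip in the new condition `entry.mount_point != "/sys/kernel/debug/tracing"` is silent, so if tracefs ever fails to appear under debugfs in the new netns there is no trace of why init did not restore it; consider a `LOG(VERBOSE)` or `LOG(DEBUG)` line in an `else` branch (or a one-line note in the comment) saying the entry was deliberately left to the kernel's debugfs auto-mount. It would also help readers to spell out in the comment why the check is on the mount point rather than on `entry.fs_type == "tracefs"`: a tracefs instance that init itself mounted at a different path (the commit message implies only the debugfs alias is kernel-mounted) should still be restored, and only the auto-mounted alias under /sys/kernel/debug must be excluded. Finally, the nine-line comment inside the loop body pushes the `if` away from the loop header; moving it just above the `for` loop, or trimming it to one sentence plus the [1] reference, keeps the restore loop readable.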